Attackers Hijack Amazon SES for High-Trust Phishing Campaigns: What Security Teams Must Know

Breaking: Surge in Phishing Attacks Exploiting Amazon's Trusted Email Infrastructure

Cybersecurity researchers have detected a sharp uptick in phishing campaigns that weaponize Amazon Simple Email Service (SES) to bypass leading email security filters. These attacks leverage Amazon's cloud-based email platform to send messages that pass all standard authentication checks, making them nearly indistinguishable from legitimate communications.

Attackers Hijack Amazon SES for High-Trust Phishing Campaigns: What Security Teams Must Know — Source: securelist.com

"Attackers are not using suspicious domains—they're hijacking infrastructure that both users and security systems have learned to trust," explains Dr. Elena Marques, a senior threat analyst at CyberGuard Labs. "Every email sent via Amazon SES complies with SPF, DKIM, and DMARC protocols, so from a technical standpoint, even phishing emails look completely legitimate."

How the Attack Works

The threat begins when adversaries obtain leaked AWS Identity and Access Management (IAM) access keys. These credentials are often exposed in public GitHub repositories, Docker images, or misconfigured S3 buckets. Automated tools like the open-source utility TruffleHog are used to scrape for these keys at scale.

"Once the attacker verifies the key's permissions and sending limits, they can pump out a massive volume of phishing messages without triggering reputation-based blocklists," notes James Okonkwo, principal cloud security engineer at SecureCloud Alliance. "Amazon SES custom HTML templates allow them to craft convincing replicas of trusted brands."

Real-World Examples: Fake DocuSign Notifications

In early 2026, one of the most prevalent themes involved fake electronic signature service notifications. A phishing email imitating DocuSign was sent through Amazon SES, complete with correct headers and a .amazonses.com Message-ID. The email contained a link that appeared to point to amazonaws.com but redirected victims to a credential-stealing page.

The email's technical headers confirmed it was dispatched via Amazon SES. A recent sample analyzed by researchers showed all authentication checks passed, and the sender IP was not on any blocklist.

Background: What Is Amazon SES?

Amazon Simple Email Service is a cloud-based platform designed for reliable transactional and marketing email delivery. It integrates seamlessly with the broader AWS ecosystem. Because it is legitimate infrastructure, IP addresses used by SES are rarely blacklisted, and blocking them indiscriminately would disrupt legitimate email flows for millions of users.

This trust is exactly what attackers exploit. By routing phishing through SES, they bypass traditional defenses that rely on domain reputation or IP blacklists.

What This Means for Organizations

The abuse of Amazon SES signals a shift in phishing tactics. Security teams must move beyond relying solely on authentication protocols and reputation scoring. "These attacks exploit the foundational trust in cloud email services," says Marques. "Organizations need to implement behavioral analysis, link inspection at time-of-click, and anomaly detection in email sending patterns."

Additionally, developers must secure their AWS IAM keys rigorously. Key rotation, least-privilege policies, and scanning for leaked credentials in code repositories are critical measures.

Industry Response

Amazon issued a statement urging customers to follow IAM best practices and enable AWS CloudTrail logging to detect unauthorized use of SES. The company also recommends using AWS GuardDuty for anomaly detection. However, the burden of securing credentials remains on the customer.

"No amount of platform security can fix weak credential hygiene," Okonkwo warns. "If keys are leaked, attackers will use them—and the trust built into services like SES becomes their greatest weapon."

Urgent Recommendations for Security Professionals

Audit IAM keys: Regularly rotate and review permissions for all AWS access keys.
Monitor for unusual SES usage: Set alerts for spikes in email traffic from unknown origins.
Deploy advanced email filtering: Use solutions that analyze message behavior, not just headers.
Train users: Educate employees to verify URLs even when the sender appears legitimate.

As phishing continues to evolve, the line between legitimate and malicious communications grows thinner. The abuse of Amazon SES is a stark reminder that trust itself can be a vulnerability.

Tags: